A Pennsylvania credit union has sued fintech giant Fiserv for allegedly failing to address persistent vulnerabilities in the platform that powers its banking websites and online applications.

In a lawsuit filed Friday, Bessemer System Federal Credit Union said that the web platform maintained by Fiserv is “plagued with security vulnerabilities that affect the privacy of thousands of Bessemer’s members.”

Those vulnerabilities were “based on baffling and amateurish security lapses,” the document alleges.

The complaint describes Wisconsin-based Fiserv’s technology as the “lifeblood of Bessemer” in that it is used to run the website, generate statements and track deposits.

But now, the credit union says it’s ditching Fiserv, a Fortune 500 company that says it has some 12,000 clients in over 80 countries.

“To protect the credit union’s members, the credit union is replacing its core processing vendor and will be taking appropriate legal action against the vendor,” said Charles Nerko, a lawyer representing Bessemer System FCU. Reached by phone, Nerko declined to comment further.

The credit union is claiming it is owed relief from alleged damages caused by Fiserv on a number of grounds – including alleged negligence, unfair trade practices, and breach of contract.

The complaint, which was filed in a Mercer County, Pennsylvania court, also accused Fiserv of threatening “civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties.”

Fiserv spokeswoman Anna Cave said the company does not comment “outside of the legal process on pending legal matters.”

Fiserv earned $5.8 billion in revenue in 2018, according to SEC filings. It is one of three companies whose technology accounts for much of the digital infrastructure used by small banks, according to a recent Wall Street Journal article. Some small banks have started to chafe at their reliance on the services provided by those “core vendors,” The Journal reported.

By contrast, Bessemer System FCU is a local outfit, based in the northwestern Pennsylvanian town of Greenville and founded nearly 80 years ago by employees of the Bessemer and Lake Erie Railroad, according to its website. According to data from the National Credit Union Administration, Bessemer has 4,311 members that account for nearly $38 million in assets.

This is not the first time that public attention has been brought to security issues in the Fiserv platform. Last August, independent security journalist Brian Krebs reported that the company had just plugged a “glaring weakness” in its platform that had exposed personal and financial data on customers across hundreds of bank websites.